Remote Code Execution (RCE) in SoyCMS #9

Closed
@stypr

Description

Title

Remote Code Execution (RCE) in SoyCMS

Summary

Severity: High

SoyCMS 3.0.2 and earlier are affected by Remote Code Execution (RCE) via Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was reported earlier can be chained in order to perform a successful remote code execution by redirecting the administrator to a specially crafted webpage.

Impact: XSS to RCE via Inquiry Error and Unrestricted File Upload

  • Attack vector: the administrator must be logged in.
  • Components: File Manager
  • Tested SoyCMS version: 3.0.2 (latest)
  • Affected SoyCMS versions: ~3.0.2 (3.0.2 and earlier)

Found by @stypr from the Vulnerability Research Team at Flatt Security Inc.

Full Exploit Video: https://youtu.be/FWIDFNXmr9g

Cause

The file upload feature in the File Manager uses elFinder. However, it was found that the MIME type check can be fooled in order to upload a PHP file. There is no feature in elFinder to check the file type, so it needs to be implemented manually.

```php
$opts = array(
    // 'debug' => true,
    'roots' => array(
        // Items volume
        array(
            'driver'        => 'LocalFileSystem',           // driver for accessing file system (REQUIRED)
            'path'          => $path,                       // path to files (REQUIRED)
            'URL'           => $url,                        // URL to files (REQUIRED)
            //'trashHash'   => 't1_Lw',                     // elFinder's hash of trash folder
            'winHashFix'    => DIRECTORY_SEPARATOR !== '/', // to make hash same to Linux one on windows too
            'uploadDeny'    => array('all'),                // All Mimetypes not allowed to upload
            'uploadAllow'   => array('image', 'text/plain', 'text/css', 'application/zip', 'application/epub+zip', 'application/pdf'), // Mimetype `image` and `text/plain` allowed to upload
            'uploadOrder'   => array('deny', 'allow'),      // allowed Mimetype `image` and `text/plain` only
            'accessControl' => 'access'                     // disable and hide dot starting files (OPTIONAL)
        ),
    )
);
```

```php
array(
    'driver'        => 'LocalFileSystem',
    'path'          => $path,
    //'startPath'   => $site->getPath(),
    'URL'           => $url,
    // 'treeDeep'   => 3,
    // 'alias'      => 'File system',
    'mimeDetect'    => 'internal',
    'tmbPath'       => '.tmb',
    'utf8fix'       => true,
    'tmbCrop'       => false,
    'tmbBgColor'    => 'transparent',
    'accessControl' => 'access',
    'acceptedName'  => '/^[^\.].*$/',
    // 'disabled'   => array('extract', 'archive'),
    // 'tmbSize'    => 128,
    'attributes'    => array(
        // front controller
        array(
            'pattern' => '/(index|im)\\.php(\\.old(\\.[0-9][0-9])?)?$/',
            'read'    => false,
            'write'   => false,
            'locked'  => true,
            'hidden'  => true,
        ),
    )
    // 'uploadDeny' => array('application', 'text/xml')
),
```

Remediation

Please add a file extension check in accessControl.

https://github.com/Studio-42/elFinder/blob/b3e92120a8657bdd263ad750dc9760c8d5aa2a89/php/connector.minimal.php-dist#L47-L59
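The following is an added example of the remediation described above, written by the editor; it is not SoyCMS's or elFinder's own code. It shows an elFinder `accessControl` callback that refuses to write, create or rename files whose names a PHP-enabled web server would execute, wired into a root definition of the same shape as the one quoted above. The autoload path, `$path` and `$url` are placeholders (assumptions), and `EXECUTABLE_NAME_RE` is a name chosen here. The point of a name-based check is that the `uploadAllow`/`uploadDeny` lists in the first fragment act on the MIME type elFinder guesses for the upload, while the web server decides whether to execute a file by its name; a file whose content passes as `image` or `text/plain` but is called `shell.php` is still executed.

```php
<?php
// Added example (not SoyCMS or elFinder code): an elFinder accessControl
// callback that blocks server-executable file names, plus the root config
// that wires it in. $path, $url and the autoload path are assumptions.
require_once __DIR__ . '/vendor/autoload.php'; // assumed elFinder install

// Names a PHP-enabled web server may execute or interpret. Matched on any
// dot-separated component so "shell.php.jpg" and "shell.phtml" are hit too.
const EXECUTABLE_NAME_RE = '/\.(php[0-9]?|phtml|phps|phar|pht|inc|cgi|pl|py|sh)(\.|$)/i';

/**
 * elFinder consults this callback, before the `attributes` rules, for every
 * attribute lookup. Returning true or false decides the attribute; returning
 * null falls through to the volume's own rules.
 *
 * @param string $attr    'read', 'write', 'locked' or 'hidden'
 * @param string $path    path of the file or directory (may not exist yet)
 * @param mixed  $data    value of the accessControlData option (unused here)
 * @param object $volume  the elFinder volume driver
 * @param bool   $isDir   true when $path is (or will be) a directory
 * @param string $relpath path relative to the volume root
 */
function access($attr, $path, $data, $volume, $isDir, $relpath)
{
    $name = basename($path);

    // Keep elFinder's stock behaviour: dot-files are unreadable, unwritable,
    // locked and hidden.
    if (strpos($name, '.') === 0) {
        return !($attr === 'read' || $attr === 'write');
    }

    // Executable names: refuse 'write', which elFinder checks before an
    // upload, mkfile, rename or paste creates the target, and report locked.
    if (!$isDir && preg_match(EXECUTABLE_NAME_RE, $name)) {
        if ($attr === 'write') {
            return false;
        }
        if ($attr === 'locked') {
            return true;
        }
    }

    return null; // everything else: the volume's default rules apply
}

$path = __DIR__ . '/files'; // assumed: the file-manager document root
$url  = '/files/';          // assumed: the URL that $path is served under

$opts = array(
    'roots' => array(
        array(
            'driver'        => 'LocalFileSystem',
            'path'          => $path,
            'URL'           => $url,
            'mimeDetect'    => 'internal',
            'acceptedName'  => '/^[^\.].*$/',
            'accessControl' => 'access',
            // Belt and braces: the same rule as a name pattern, in the style
            // of the existing index.php/im.php entry.
            'attributes'    => array(
                array(
                    'pattern' => EXECUTABLE_NAME_RE,
                    'write'   => false,
                    'locked'  => true,
                ),
            ),
            // Archive extraction also creates files; keep it disabled unless
            // the extracted names are checked by the same rule.
            'disabled'      => array('extract', 'archive'),
        ),
    ),
);

$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

Two checks a practitioner would want before relying on this: upload `shell.php`, `shell.PHP` and `shell.php.jpg` through the File Manager and confirm all three are refused with a permission error, and confirm that a rename from `notes.txt` to `notes.php` is refused as well. Independently of elFinder, the directory under `$path` should be configured in the web server so that nothing inside it is executed as PHP; the name check above then becomes a second layer rather than the only one.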
